
TSPY_ZBOT.LAG

By Domesticus in Trojans

Threat Scorecard

Ranking: 7,271
Threat Level: 50 % (Medium)
Infected Computers: 949
First Seen: October 17, 2012
Last Seen: September 9, 2023
OS(es) Affected: Windows

The Zeus (Zbot) banking Trojan is one of the most widely distributed malware families in existence, and TSPY_ZBOT.LAG is one more variant of it. Zeus variants are typically distributed through social engineering: fake email messages carrying malicious attachments, or instant messaging spam. TSPY_ZBOT.LAG in particular arrives through spam email messages that spoof the sender addresses and the content of legitimate PayPal and WebEx notifications. Users who open the attachment are sent to a fake copy of the Adobe Flash website, which pushes a file named update_flash_player.exe onto the victim's computer. That file is not TSPY_ZBOT.LAG itself: in this campaign it is detected as TSPY_FAREIT.SMC, a first-stage component that in turn installs TSPY_ZBOT.LAG. The same fake Flash Player update lure had already been seen in other malware attacks earlier in 2012. Two practical points follow from this chain: Adobe never distributed Flash updates through links in PayPal or WebEx emails, and Flash Player itself reached end of life on December 31, 2020, so any "Flash update" prompt encountered today is a lure by definition.

The fake Adobe Flash website reproduces components of the genuine site closely, including its drop-down navigation menu, which is not trivial to recreate and makes the page convincing at a glance. The email messages used in this attack typically carry an HTM file attachment; opening it in a browser redirects the user to the fake Adobe Flash site. The message body claims that the attachment contains details of a WebEx conference or of a recent PayPal transaction.

How TSPY_ZBOT.LAG is Used to Attack Computer Users

TSPY_ZBOT.LAG, like the many other Zeus or Zbot variants, is built to steal private information. Criminals typically use it to capture online banking credentials and personal data such as credit card details, webmail passwords, and website and FTP logins. TSPY_ZBOT.LAG runs hidden in the background and consumes few system resources, so it can remain undetected for long periods and exfiltrate data well before the victim notices anything wrong. Because TSPY_ZBOT.LAG directly endangers bank and online accounts, it should be removed promptly with a reliable anti-malware program, and any credentials that were used on the infected computer should be treated as compromised and changed from a clean machine. If you believe that you have had contact with TSPY_ZBOT.LAG, ESG malware analysts advise immediate action to prevent the loss of money and of valuable, confidential information.

File System Details

TSPY_ZBOT.LAG may create the following file(s):
1. %User Profile%\Application Data\{RANDOM CHARACTERS1}\{RANDOM CHARACTERS}.exe
2. %User Profile%\Application Data\{RANDOM CHARACTERS2}\{RANDOM CHARACTERS}.{RANDOM CHARACTERS}
3. %User Profile%\Application Data\Microsoft\Address Book\{username}.wab

Notes for triage: {RANDOM CHARACTERS1} is the same folder name referenced by the Run registry value below, so the two indicators should be checked together. %User Profile%\Application Data is the Windows XP path; on Windows Vista and later the equivalent location is %APPDATA% (%User Profile%\AppData\Roaming). The third entry is the standard Windows Address Book location for the logged-on user, so the presence of that file on its own is not an indicator of infection; it is listed because the Trojan creates or touches it.

Registry Details

TSPY_ZBOT.LAG may create the following registry entry or registry entries (each line is key, then value name, then data; lines with no value name are keys the Trojan creates):
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run {GUID} = "%User Profile%\Application Data\{RANDOM CHARACTERS1}\{RANDOM CHARACTERS}.exe"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List %Windows%\explorer.exe = "%Windows%\explorer.exe:*:Enabled:Windows Explorer"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Privacy CleanCookies = "0"
HKEY_CURRENT_USER\Software\Microsoft\{RANDOM CHARACTERS}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List {port}:UDP = "{port}:UDP:Enabled:UDP {port}"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Privacy
HKEY_CURRENT_USER\Software\Microsoft\WAB
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List {port}:TCP = "{port}:TCP:Enabled:TCP {port}"

What these entries do: the Run value is the persistence mechanism, launching the dropped executable at every logon under a GUID-shaped value name. The AuthorizedApplications entry adds explorer.exe to the Windows Firewall exception list, and the two GloballyOpenPorts entries open one TCP and one UDP port on the standard profile; together they let the infected host accept inbound connections without a firewall prompt. CleanCookies = "0" disables Internet Explorer's automatic cookie clean-up. Note that explorer.exe has no legitimate reason to appear in the firewall exception list, and a firewall rule whose display name is nothing more than "TCP {port}" or "UDP {port}" is a useful hunting signal on its own.
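A triage script for the file-system and registry indicators listed in the two sections above, added here as an example; it is not code from the page's author or from any vendor product. It parses a `reg export` text dump of the relevant keys and flags the page-listed artefacts: a GUID-named Run value that points at a random-named executable under Application Data (which also locates the dropped file from the file-system table), explorer.exe in the Windows Firewall exception list, globally opened ports whose rule name is just "TCP <port>" or "UDP <port>", and CleanCookies set to 0. The sample dump, the GUID, and every path and port in it are constructed; the regular expressions for "GUID-shaped" and "random-named" are my assumptions about how the page's placeholders look on a real host.

```python
"""Triage a `reg export` (.reg v5) dump for TSPY_ZBOT.LAG indicators.

Added example, not code from the page's author.  The sample dump below is
constructed; key paths come from the page, heuristics are assumptions."""
import re

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
FW_BASE = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
           r"\Parameters\FirewallPolicy\StandardProfile")
AUTH_APPS = FW_BASE + r"\AuthorizedApplications\List"
OPEN_PORTS = FW_BASE + r"\GloballyOpenPorts\List"
IE_PRIVACY = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Privacy"

# Assumption: "{GUID}" is a brace-wrapped 8-4-4-4-12 hex string.
GUID_RE = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)
# Assumption: {RANDOM CHARACTERS} folders/files are plain alphanumeric names.
# Matches the XP path from the page and its Vista+ equivalent (AppData\Roaming).
ZBOT_PATH_RE = re.compile(
    r"\\(?:Application Data|AppData\\Roaming)\\[A-Za-z0-9]+\\[A-Za-z0-9]+\.exe\s*$", re.I)

# Constructed sample dump: one benign Run entry and one benign RDP firewall rule
# sit next to entries shaped like the page's indicators.  Nothing here is real.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe /background"
"{A1B2C3D4-1111-2222-3333-444455556666}"="C:\\Documents and Settings\\alice\\Application Data\\Ipyhih\\obyqa.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\explorer.exe"="C:\\WINDOWS\\explorer.exe:*:Enabled:Windows Explorer"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"3389:TCP"="3389:TCP:*:Enabled:@xpsp2res.dll,-22009"
"12819:UDP"="12819:UDP:Enabled:UDP 12819"
"12819:TCP"="12819:TCP:Enabled:TCP 12819"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Privacy]
"CleanCookies"=dword:00000000
'''


def _unescape(s):
    # .reg string syntax escapes backslash and double quote with a backslash.
    return re.sub(r'\\(["\\])', r"\1", s)


def parse_reg(text):
    """Parse a .reg dump into {key_path: {value_name: data}}.

    Quoted strings are unescaped, dword values become ints, other types
    (hex:, expand strings, ...) are kept as their raw text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")   # value names containing '=' are not handled
        name = "(Default)" if name == "@" else _unescape(name[1:-1])
        if data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        elif data.lower().startswith("dword:"):
            data = int(data[6:], 16)
        keys[current][name] = data
    return keys


def triage(reg):
    """Return (indicator, key, value_name, data) tuples for every IOC hit."""
    hits = []
    for name, data in reg.get(RUN_KEY, {}).items():
        if GUID_RE.match(name) and isinstance(data, str) and ZBOT_PATH_RE.search(data):
            hits.append(("zbot_run_persistence", RUN_KEY, name, data))
    for name, data in reg.get(AUTH_APPS, {}).items():
        # explorer.exe has no business in the firewall exception list.
        if name.lower().endswith("\\explorer.exe"):
            hits.append(("explorer_firewall_exception", AUTH_APPS, name, data))
    for name, data in reg.get(OPEN_PORTS, {}).items():
        m = re.match(r"^(\d+):(TCP|UDP)$", name, re.I)
        if not m or not isinstance(data, str):
            continue
        port, proto = m.group(1), m.group(2).upper()
        # The page's entries name the rule just "<PROTO> <port>"; products name theirs.
        if data.split(":")[-1].strip().upper() == f"{proto} {port}":
            hits.append(("zbot_global_open_port", OPEN_PORTS, name, data))
    if reg.get(IE_PRIVACY, {}).get("CleanCookies") == 0:
        hits.append(("ie_cookie_cleanup_disabled", IE_PRIVACY, "CleanCookies", 0))
    return hits


if __name__ == "__main__":
    for indicator, key, name, data in triage(parse_reg(SAMPLE_REG)):
        print(f"[{indicator}] {key}\n    {name} = {data!r}")
```

On a live host the dump would come from `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg` (and the equivalent for the other three keys), then `parse_reg(open("run.reg", encoding="utf-16").read())`, since `reg export` writes UTF-16. The RDP rule and the OneDrive entry in the sample are there to show that the heuristics key on the shape of the Zbot artefacts, not merely on the presence of a Run value or an open port.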
